DMCKIB88
asked on
cross site scripting (XSS)
Help . . .
Application appears to be vulnerable to cross site scripting (XSS)
I need to HTML encode data before sending it to the browser
Filtering < and > alone will not solve all cross site scripting attacks. It is suggested you also attempt to filter out open and closing parenthesis or convert them to their encoded equivalents
This is the page how do I change to stop this. Below page
__________________________ __________ __________
include("./_include/core/m ain_start. php");
class CPhotoEdit extends CHtmlBlock
{
function select_channel_name($chann el_id)
{
$result_channel = DB::query("SELECT name FROM videogallery_channels WHERE id = ".to_sql($channel_id, "Number")." and status = 'ACTIVE'");
$row_channel = DB::fetch_row();
return $row_channel;
}
function parseBlock(&$html)
{
global $g;
global $g_user;
$fla = get_param("fla", "");
$show = get_param("show", "");
$cat = get_param("cat", "");
$start = get_param("start", "");
if (empty($fla)) $fla="top_plays";
if (empty($show)) $show="all";
if (empty($cat)) $cat=0;
if (empty($start)) $start=0;
$result=DB::query("SELECT * FROM videogallery_channels WHERE status = 'ACTIVE'");
$num_cat=DB::num_rows();
if ($num_cat>0)
{
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("cat_id", 0);
$html->parse("all_categori es", true);
while ($row=DB::fetch_row())
{
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("cat_id", $row['id']);
$html->setvar("cat_name", $row['name']);
$html->parse("categories", true);
}
}
$eu = ($start - 0);
$limit = 15;
$this_page = $eu + $limit;
$back = $eu - $limit;
$next = $eu + $limit;
if (!empty($cat))
{
$channel_name = $this->select_channel_name ($cat);
$ch_nm = $channel_name[0];
$add_query=" and (videogallery_video.channe ls LIKE ".to_sql("%,".$ch_nm.",%") ." or videogallery_video.channel s LIKE ".to_sql("%,".$ch_nm)." or videogallery_video.channel s LIKE ".to_sql($ch_nm.",%").")";
}
else
{
$add_query="";
}
$title="";
if($fla=="top_plays")
{
if ($show=="today")
{
$query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide ogallery_w atch.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_watch .data))<=1 $add_query GROUP BY videogallery_watch.vid ORDER BY temp DESC";
$title="Today's Top Plays";
}
elseif ($show=="week")
{
$query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide ogallery_w atch.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_watch .data))<=7 $add_query GROUP BY videogallery_watch.vid ORDER BY temp DESC";
$title="Weekly Top Plays";
}
elseif ($show=="month")
{
$query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide ogallery_w atch.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_watch .data))<=3 1 $add_query GROUP BY videogallery_watch.vid ORDER BY temp DESC";
$title="Monthly Top Plays";
}
elseif ($show=="all")
{
$query_video = "select * from videogallery_video where status = 'ACTIVE' $add_query ORDER BY `no_of_times_viewed` DESC";
$title="All Top Plays";
}
}
elseif($fla=="just_added")
{
$query_video = "select * from videogallery_video where status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_video .video_dat e))<=1 $add_query";
$title="New Today";
}
elseif($fla=="most_comment s")
{
if ($show=="today")
{
# $query_video = "SELECT *, count( * ) AS temp FROM `videogallery_video` , `videogallery_comments` WHERE videogallery_comments.comm ent_id = videogallery_video.id AND videogallery_video.status = 'ACTIVE' AND videogallery_comments.comm ent_type = 'VIDEO' AND videogallery_comments.stat us = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_comme nts.data)) <=1 $add_query GROUP BY videogallery_video.id ORDER BY `temp` DESC";
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm ent_id = videogallery_video.id AND videogallery_comments.comm ent_type = 'VIDEO' AND videogallery_comments.stat us = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_comme nts.data)) <=1) AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
$title="Today's Most Comments";
}
elseif ($show=="week")
{
# $query_video = "SELECT *, count( * ) AS temp FROM `videogallery_video` , `videogallery_comments` WHERE videogallery_comments.comm ent_id = videogallery_video.id AND videogallery_video.status = 'ACTIVE' AND videogallery_comments.comm ent_type = 'VIDEO' AND videogallery_comments.stat us = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_comme nts.data)) <=7 $add_query GROUP BY videogallery_video.id ORDER BY `temp` DESC";
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm ent_id = videogallery_video.id AND videogallery_comments.comm ent_type = 'VIDEO' AND videogallery_comments.stat us = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_comme nts.data)) <=7) AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
$title="Weekly Most Comments";
}
elseif ($show=="month")
{
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm ent_id = videogallery_video.id AND videogallery_comments.comm ent_type = 'VIDEO' AND videogallery_comments.stat us = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_comme nts.data)) <=31) AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
$title="Monthly Most Comments";
}
elseif ($show=="all")
{
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm ent_id = videogallery_video.id AND videogallery_comments.comm ent_type = 'VIDEO' AND videogallery_comments.stat us = 'ACTIVE') AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
$title="All Most Comments";
}
}
elseif($fla=="top_rated")
{
if ($show=="today")
{
# $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=1 $add_query GROUP BY videogallery_rated.vid ORDER BY temp DESC";
$query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=1 ) AS temp FROM videogallery_video WHERE videogallery_video.status = 'ACTIVE' and (select count( * ) from videogallery_rated where videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=1 )>0 $add_query ORDER BY temp DESC";
$title="Today's Highest Rated";
}
elseif ($show=="week")
{
# $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=7 $add_query GROUP BY videogallery_rated.vid ORDER BY temp DESC";
$query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=7 ) AS temp FROM videogallery_video WHERE videogallery_video.status = 'ACTIVE' and (select count( * ) from videogallery_rated where videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=7 )>0 $add_query ORDER BY temp DESC";
$title="Weekly Highest Rated";
}
elseif ($show=="month")
{
# $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=3 1 $add_query GROUP BY videogallery_rated.vid ORDER BY temp DESC";
$query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=3 1) AS temp FROM videogallery_video WHERE videogallery_video.status = 'ACTIVE' and (select count( * ) from videogallery_rated where videogallery_video.id=vide ogallery_r ated.vid and (TO_DAYS(CURDATE())-TO_DAY S(videogal lery_rated .data))<=3 1)>0 $add_query ORDER BY temp DESC";
$title="Monthly Highest Rated";
}
elseif ($show=="all")
{
$query_video = "select * from videogallery_video where status = 'ACTIVE' $add_query ORDER BY `rate` DESC";
$title="All Highest Rated";
}
}
$query_video_all=$query_vi deo;
$query_video.=" limit ".to_sql($eu, "Number").", ".to_sql($limit, "Number")."";
$result=DB::query($query_v ideo_all);
$nume=DB::num_rows();
$xx=1;
$result_video = DB::query($query_video);
while ($row_video = DB::fetch_row())
{
$result_comment = DB::query("SELECT * FROM videogallery_comments WHERE comment_type = 'VIDEO' and comment_id = '".$row_video['id']."' and status = 'ACTIVE'",1);
$num_comment = DB::num_rows(1);
$html->setvar("video_id", $row_video['id']);
$html->setvar("video_image ", $row_video['video_image']) ;
$html->setvar("video_title ", $row_video['title']);
$html->setvar("video_plays ", $row_video['no_of_times_vi ewed']);
$html->setvar("video_comme nts", $num_comment);
$xx++;
if ($xx==4)
{
$html->parse("line_videos" , true);
$xx=1;
}
else $html->setblockvar("line_v ideos", "");
$html->parse("videos", true);
}
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("cat_id", $cat);
$html->setvar("this_count" , $eu+1);
if ($next<$nume)
{
$html->setvar("next_count" , $next);
}
else
{
$html->setvar("next_count" , $nume);
}
$html->setvar("all_count", $nume);
if ($nume/$limit>5) {
$tostart=$eu;
$tonume=(1+round($eu/15))* 15;
}
else {
$tostart=0;
$tonume=$nume;
}
if ($tostart>0) {
$html->setvar("toleft", $tostart-15);
$html->parse("left_2", true);
}
$l=$tostart/15+1;
for($i=$tostart;$i < $tonume;$i=$i+$limit)
{
$html->setblockvar("page_1 ", "");
$html->setblockvar("page", "");
if($i <> $eu){
$html->setvar("i", $i);
$html->setvar("l", $l);
$html->parse("page", true);
$html->setblockvar("page_1 ", "");
$html->parse("pages_1", true);
}
else {
$html->setvar("l", $l);
$html->setblockvar("page", "");
$html->parse("page_1", true);
$html->parse("pages_1", true);
}
$l=$l+1;
}
if ($nume>$tonume) {
$html->setvar("toright", $tonume);
$html->parse("right_2", true);
}
if($back >=0) {
$html->setvar("back", $back);
$html->parse("prev", true);
}
if ($back >=0&&$this_page < $nume)
{
$html->parse("separator", true);
}
if($this_page < $nume) {
$html->setvar("next", $next);
$html->parse("next", true);
}
$html->parse("pages", true);
parent::parseBlock($html);
}
}
class VidoHeader extends CHtmlBlock
{
var $sMessage = "";
function VidoHeader($name, $html_path)
{
$this->CHtmlBlock($name, $html_path);
}
function parseBlock(&$html)
{
global $g;
global $g_user;
$fla = get_param("fla", "");
$show = get_param("show", "");
$cat = get_param("cat", "");
$start = get_param("start", "");
if (empty($fla)) $fla="top_plays";
if (empty($show)) $show="all";
if (empty($cat)) $cat=0;
if (empty($start)) $start=0;
$result_cat=DB::query("SEL ECT * FROM videogallery_channels WHERE status = 'ACTIVE' and id=".to_sql($cat)."");
$num_cat=DB::num_rows();
if ($num_cat>0){
$row=DB::fetch_row();
$show_cat=$row['name'];
}
else{
$show_cat="All Categories";
}
$html->parse("navy", true);
$html->setvar("cur_page", "videogallery_video_view.p hp");
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("show_cat", $show_cat);
$html->setvar("cat", $cat);
$title="";
if($fla=="top_plays")
{
if ($show=="today")
{
$title="Today's Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="week")
{
$title="Weekly Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="month")
{
$title="Monthly Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="all")
{
$title="All Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
}
elseif($fla=="just_added")
{
$title="New Today";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("name_cat", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
}
elseif($fla=="most_comment s")
{
if ($show=="today")
{
$title="Today's Most Comments";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="week")
{
$title="Weekly Most Comments";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="month")
{
$title="Monthly Most Comments";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="all")
{
$title="All Most Comments";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s", true);
$html->parse("top_rated_a" , true);
$html->parse("top_rated_a1 ", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
}
elseif($fla=="top_rated")
{
if ($show=="today")
{
$title="Today's Highest Rated";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="week")
{
$title="Weekly Highest Rated";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="month")
{
$title="Monthly Highest Rated";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="all")
{
$title="All Highest Rated";
$html->parse("top_plays_a" , true);
$html->parse("top_plays_a1 ", true);
$html->parse("top_plays", true);
$html->parse("just_added_a ", true);
$html->parse("just_added_a 1", true);
$html->parse("just_added", true);
$html->parse("most_comment s_a", true);
$html->parse("most_comment s_a1", true);
$html->parse("most_comment s", true);
$html->parse("top_rated", true);
$html->parse("show_cat_r", true);
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
}
$html->parse("show_cat", true);
$html->setvar("title", $title);
$html->parse("title", true);
parent::parseBlock($html);
}
}
$page = new CPhotoEdit("", $g['tmpl']['dir_tmpl_main' ] . "videogallery_video_view.h tml");
$header = new CHeader("header", $g['tmpl']['dir_tmpl_main' ] . "_header.html");
$page->add($header);
$footer = new CFooter("footer", $g['tmpl']['dir_tmpl_main' ] . "_footer.html");
$page->add($footer);
$users_ims = new CIms("ims", $g['tmpl']['dir_tmpl_main' ] . "_ims.html");
$page->add($users_ims);
$vidoheader = new VidoHeader("videogallery_v ido_header ", $g['tmpl']['dir_tmpl_main' ] . "videogallery_vido_header. html");
$page->add($vidoheader);
include("./_include/core/m ain_close. php");
?>
Application appears to be vulnerable to cross site scripting (XSS)
I need to HTML encode data before sending it to the browser
Filtering < and > alone will not solve all cross site scripting attacks. It is suggested you also attempt to filter out open and closing parenthesis or convert them to their encoded equivalents
This is the page how do I change to stop this. Below page
__________________________
include("./_include/core/m
class CPhotoEdit extends CHtmlBlock
{
function select_channel_name($chann
{
$result_channel = DB::query("SELECT name FROM videogallery_channels WHERE id = ".to_sql($channel_id, "Number")." and status = 'ACTIVE'");
$row_channel = DB::fetch_row();
return $row_channel;
}
function parseBlock(&$html)
{
global $g;
global $g_user;
$fla = get_param("fla", "");
$show = get_param("show", "");
$cat = get_param("cat", "");
$start = get_param("start", "");
if (empty($fla)) $fla="top_plays";
if (empty($show)) $show="all";
if (empty($cat)) $cat=0;
if (empty($start)) $start=0;
$result=DB::query("SELECT * FROM videogallery_channels WHERE status = 'ACTIVE'");
$num_cat=DB::num_rows();
if ($num_cat>0)
{
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("cat_id", 0);
$html->parse("all_categori
while ($row=DB::fetch_row())
{
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("cat_id", $row['id']);
$html->setvar("cat_name", $row['name']);
$html->parse("categories",
}
}
$eu = ($start - 0);
$limit = 15;
$this_page = $eu + $limit;
$back = $eu - $limit;
$next = $eu + $limit;
if (!empty($cat))
{
$channel_name = $this->select_channel_name
$ch_nm = $channel_name[0];
$add_query=" and (videogallery_video.channe
}
else
{
$add_query="";
}
$title="";
if($fla=="top_plays")
{
if ($show=="today")
{
$query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide
$title="Today's Top Plays";
}
elseif ($show=="week")
{
$query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide
$title="Weekly Top Plays";
}
elseif ($show=="month")
{
$query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide
$title="Monthly Top Plays";
}
elseif ($show=="all")
{
$query_video = "select * from videogallery_video where status = 'ACTIVE' $add_query ORDER BY `no_of_times_viewed` DESC";
$title="All Top Plays";
}
}
elseif($fla=="just_added")
{
$query_video = "select * from videogallery_video where status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAY
$title="New Today";
}
elseif($fla=="most_comment
{
if ($show=="today")
{
# $query_video = "SELECT *, count( * ) AS temp FROM `videogallery_video` , `videogallery_comments` WHERE videogallery_comments.comm
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm
$title="Today's Most Comments";
}
elseif ($show=="week")
{
# $query_video = "SELECT *, count( * ) AS temp FROM `videogallery_video` , `videogallery_comments` WHERE videogallery_comments.comm
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm
$title="Weekly Most Comments";
}
elseif ($show=="month")
{
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm
$title="Monthly Most Comments";
}
elseif ($show=="all")
{
$query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comm
$title="All Most Comments";
}
}
elseif($fla=="top_rated")
{
if ($show=="today")
{
# $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide
$query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=vide
$title="Today's Highest Rated";
}
elseif ($show=="week")
{
# $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide
$query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=vide
$title="Weekly Highest Rated";
}
elseif ($show=="month")
{
# $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=vide
$query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=vide
$title="Monthly Highest Rated";
}
elseif ($show=="all")
{
$query_video = "select * from videogallery_video where status = 'ACTIVE' $add_query ORDER BY `rate` DESC";
$title="All Highest Rated";
}
}
$query_video_all=$query_vi
$query_video.=" limit ".to_sql($eu, "Number").", ".to_sql($limit, "Number")."";
$result=DB::query($query_v
$nume=DB::num_rows();
$xx=1;
$result_video = DB::query($query_video);
while ($row_video = DB::fetch_row())
{
$result_comment = DB::query("SELECT * FROM videogallery_comments WHERE comment_type = 'VIDEO' and comment_id = '".$row_video['id']."' and status = 'ACTIVE'",1);
$num_comment = DB::num_rows(1);
$html->setvar("video_id", $row_video['id']);
$html->setvar("video_image
$html->setvar("video_title
$html->setvar("video_plays
$html->setvar("video_comme
$xx++;
if ($xx==4)
{
$html->parse("line_videos"
$xx=1;
}
else $html->setblockvar("line_v
$html->parse("videos", true);
}
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("cat_id", $cat);
$html->setvar("this_count"
if ($next<$nume)
{
$html->setvar("next_count"
}
else
{
$html->setvar("next_count"
}
$html->setvar("all_count",
if ($nume/$limit>5) {
$tostart=$eu;
$tonume=(1+round($eu/15))*
}
else {
$tostart=0;
$tonume=$nume;
}
if ($tostart>0) {
$html->setvar("toleft", $tostart-15);
$html->parse("left_2", true);
}
$l=$tostart/15+1;
for($i=$tostart;$i < $tonume;$i=$i+$limit)
{
$html->setblockvar("page_1
$html->setblockvar("page",
if($i <> $eu){
$html->setvar("i", $i);
$html->setvar("l", $l);
$html->parse("page", true);
$html->setblockvar("page_1
$html->parse("pages_1", true);
}
else {
$html->setvar("l", $l);
$html->setblockvar("page",
$html->parse("page_1", true);
$html->parse("pages_1", true);
}
$l=$l+1;
}
if ($nume>$tonume) {
$html->setvar("toright", $tonume);
$html->parse("right_2", true);
}
if($back >=0) {
$html->setvar("back", $back);
$html->parse("prev", true);
}
if ($back >=0&&$this_page < $nume)
{
$html->parse("separator", true);
}
if($this_page < $nume) {
$html->setvar("next", $next);
$html->parse("next", true);
}
$html->parse("pages", true);
parent::parseBlock($html);
}
}
class VidoHeader extends CHtmlBlock
{
var $sMessage = "";
function VidoHeader($name, $html_path)
{
$this->CHtmlBlock($name, $html_path);
}
function parseBlock(&$html)
{
global $g;
global $g_user;
$fla = get_param("fla", "");
$show = get_param("show", "");
$cat = get_param("cat", "");
$start = get_param("start", "");
if (empty($fla)) $fla="top_plays";
if (empty($show)) $show="all";
if (empty($cat)) $cat=0;
if (empty($start)) $start=0;
$result_cat=DB::query("SEL
$num_cat=DB::num_rows();
if ($num_cat>0){
$row=DB::fetch_row();
$show_cat=$row['name'];
}
else{
$show_cat="All Categories";
}
$html->parse("navy", true);
$html->setvar("cur_page", "videogallery_video_view.p
$html->setvar("fla", $fla);
$html->setvar("show", $show);
$html->setvar("show_cat", $show_cat);
$html->setvar("cat", $cat);
$title="";
if($fla=="top_plays")
{
if ($show=="today")
{
$title="Today's Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="week")
{
$title="Weekly Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="month")
{
$title="Monthly Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="all")
{
$title="All Top Plays";
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
}
elseif($fla=="just_added")
{
$title="New Today";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("name_cat", true);
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
}
elseif($fla=="most_comment
{
if ($show=="today")
{
$title="Today's Most Comments";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="week")
{
$title="Weekly Most Comments";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="month")
{
$title="Monthly Most Comments";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="all")
{
$title="All Most Comments";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("top_rated_a"
$html->parse("top_rated_a1
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
}
elseif($fla=="top_rated")
{
if ($show=="today")
{
$title="Today's Highest Rated";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="week")
{
$title="Weekly Highest Rated";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="month")
{
$title="Monthly Highest Rated";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month", true);
$html->parse("all_a", true);
$html->parse("all_a1", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
elseif ($show=="all")
{
$title="All Highest Rated";
$html->parse("top_plays_a"
$html->parse("top_plays_a1
$html->parse("top_plays", true);
$html->parse("just_added_a
$html->parse("just_added_a
$html->parse("just_added",
$html->parse("most_comment
$html->parse("most_comment
$html->parse("most_comment
$html->parse("top_rated", true);
$html->parse("show_cat_r",
$html->parse("today_a", true);
$html->parse("today_a1", true);
$html->parse("today", true);
$html->parse("week_a", true);
$html->parse("week_a1", true);
$html->parse("week", true);
$html->parse("month_a", true);
$html->parse("month_a1", true);
$html->parse("month", true);
$html->parse("all", true);
$html->parse("name_cat", true);
$html->parse("show_for", true);
}
}
$html->parse("show_cat", true);
$html->setvar("title", $title);
$html->parse("title", true);
parent::parseBlock($html);
}
}
$page = new CPhotoEdit("", $g['tmpl']['dir_tmpl_main'
$header = new CHeader("header", $g['tmpl']['dir_tmpl_main'
$page->add($header);
$footer = new CFooter("footer", $g['tmpl']['dir_tmpl_main'
$page->add($footer);
$users_ims = new CIms("ims", $g['tmpl']['dir_tmpl_main'
$page->add($users_ims);
$vidoheader = new VidoHeader("videogallery_v
$page->add($vidoheader);
include("./_include/core/m
?>
This looks like a homework question. You're not allowed to ask people to do your homework for you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This is not my homework, but I had my program written for me and HackerSafe says that the program should not run, because of the cross site scripting. I will give you any points to solve this for me. If you need more of the program please let me know which part. Thanks
Thanks for ignoring my comments goodnight and good luck.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I entered the same title, because it was the same question on different files. I do have experience, but If this is a security issue I thought that maybe with the experts on this site that I could come up with other ideas.
Sorry if this is too much. Thanks,
Sorry if this is too much. Thanks,
I think two of the three questions should be deleted, perhaps the two that really don't have any good answers?
I only see the need for one of these posts. Another user said this is "homework." You can decide on this, however.
I only see the need for one of these posts. Another user said this is "homework." You can decide on this, however.
ASKER
HTML encode data before sending it to the browser.
Filtering < and > alone will not solve all cross site scripting attacks. It is suggested you also attempt to filter out open and closing parenthesis or convert them to their encoded equivalents.
This is their suggestion.
Filtering < and > alone will not solve all cross site scripting attacks. It is suggested you also attempt to filter out open and closing parenthesis or convert them to their encoded equivalents.
This is their suggestion.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.